[NOOB] CSRF check failed. [SOLVED] => ReInstall

[MarieSophieSG]

Hello,
This morning,
I log in to my OPNsense GUI as usual, but got this instead:

Code Select Expand

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.
Config is the same as it was yesterday
What did I do wrong this time ?

While searching the forum, I found an old post mentioning this problem, but it'S only a question, no answer, no workaround ...

[bartjsmit]

Sounds like a stale cookie is making OPNsense think you're not legit. This is a client (browser) side issue.

Try from an icognito/private windows or use a different browser. Dropping cache may help but it is a hassle.

Bart...

[cookiemonster]

Indeedledy. Just to add:
Usually a close tab, then open solves.
Sometimes it needs a new broser session, but rarely.
As Bart says, stale bowser session cookie.

[MarieSophieSG]

Same result in private window
Same result in different browser

From Laptop1 on LAN1 =
Access to Interface GUI )192.168.101.101) ok, I have the log-in page, I enter my login and password, and *then*
on Brave: move to HTTP:// (instead of HTTPS:) with CSFR error msg
On FF: Stays on HTTPS:// with CSRF error msg

Same test, same results from Tablet on LAN2 (accessing 192.168.102.101) ...
Same test, same results from Laptop2 on LAN2 (accessing 192.168.102.101) ...
Same test, same results from Laptop4 on LAN3 (accessing 192.168.103.101) ...

SSH from Laptop1 => root access OK

[cookiemonster]

just refreshing the page the problem not going away?
Some browser extension blocky thingie?

[MarieSophieSG]

just refreshing the page the problem not going away?
Some browser extension blocky thingie?

No browser extension, same browser as yesterday, no change
Tried different browser, from 4 devices (on all 3 LAN)
Seems to be centralised to OPNsense, not client specific

Devices on LAN2 have access to the WiFi router AP GUI, connect + login, no problem

So it seems it's only OPNsense
Since I have access to the SSH, I'm wondering if I should restart with a previous BU, but ... IDK what change I did that triggered this BU, therefore if I revert, I will lose the last changes which I don't remember about :(

[meyergru]

Potentially, the system time is off on either OpnSense or your clients?

[cookiemonster]

And, still same issue right:?

Code Select Expand

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.

No, don't restore a Boot Environment. This is just client side message saying the session cookie has expired, nothing else.
Ctl+Shift+I on windows machine brings the dev tools console. Refresh the page and see on the network "tab" of this tool what shows. From there you can also remove the cookie stored. Storage "tab".

[MarieSophieSG]

Potentially, the system time is off on either OpnSense or your clients?

SSH - 8 shell the time is the same as for the clients

[MarieSophieSG]

And, still same issue right:?

Code Select Expand

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.

No, don't restore a Boot Environment. This is just client side message saying the session cookie has expired, nothing else.
Ctl+Shift+I on windows machine brings the dev tools console. Refresh the page and see on the network "tab" of this tool what shows. From there you can also remove the cookie stored. Storage "tab".

On all 5 clients all at the same time ?

All cookies and cash cleared on Laptop1 (192.168.101.102) to 192.168.101.101 => no change
Ctrl-shft-I on Laptop4 (192.168.103.102) => 192.168.103.101 - 403 Forbidden

[bartjsmit]

Can you try browsing to the IP address (ignore the cert warning, of course) and/or add an entry for the firewall name in your hosts file?

[MarieSophieSG]

Can you try browsing to the IP address (ignore the cert warning, of course) and/or add an entry for the firewall name in your hosts file?

I can browse to the IP, since it's giving me the login page, but it's when I enter my credential and hit send that I got the CSRF error message

Adding an entry for the FW name in my host ? I have no idea what that is

[MarieSophieSG]

I went ahead and reverted to last BU in my list
SSH => 8 shell => 13 revert => 1 last change

Error, No space left !

what ? how did it fill-up 90Gb of disk in one night ??
I guess I left some tracking on overnight ...

So no trying option 5, turn off
Otherwise, hard kill.

[viragomann]

Error, No space left !

what ? how did it fill-up 90Gb of disk in one night ??

df -h

?

[cookiemonster]

Let's check the disk usage:
SSH to the machine, change directory to the root, then df -h

Code Select Expand

$ cd /
$ df -h
Then let's have a little look at the partitions:

Code Select Expand

$ gpart show

Previous:
> On all 5 clients all at the same time ?
No, this web dev tools is useful to delete specific cookies and to analyse the browser-server conversation. Just the one machine being used to diagnose is sufficient.

For seeing if you can trace the login error on the server side you could try (with root permissions):

Code Select Expand

# cat /var/log/audit/latest.log | grep 'WebGui'
after the attempt to login. Should leave a trace. 403 Forbidden is good in a way.
Are you logging in as a user you created previously that is not "root"?
If as root and perhaps the password is wrong, you can reset it from the console main menu, option 3

And just so we know the right port and interface where lighttpd is listening can you post also the result of (in code quotes here):

Code Select Expand

# sockstat | grep light

Finally, it would be good also to see the ifconfig result:

Code Select Expand

#ifconfig
you can redact your public ip if you wish for privacy. We just need the rest.